Methods and apparatus are described for facilitating communication among a plurality of entities via an interoperability network. Each entity has policy data corresponding thereto governing interaction with the entity via the interoperability network. A message is transmitted from a first one of the entities to a second one of the entities. The first entity has first policy data corresponding thereto and the second entity has second policy data corresponding thereto. The transmitted message was handled in the network according to combined policy data representing a combination of the first and second policy data.
Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A computer program product embodied on a non-transitory computer readable medium for facilitating communication, comprising: at least one directory containing policy data for a plurality of entities stored therein, including: storing first policy data of a first one of the entities, the first one of the entities including a group defined by a role associated with a user and the first policy data used for authorization of the user, and storing second policy data of a second one of the entities, the second one of the entities including a data center and the second policy data used for control of access to information of the data center; computer code for receiving a message from the user for being transmitted in a network to the data center, the message for accessing by the user the information of the data center; computer code for, in response to the receipt of the message, identifying the first policy data of the group and the second policy data of the data center; computer code for, in response to the receipt of the message, merging the first policy data of the group and the second policy data of the data center to produce a combined policy; evaluating the combined policy with respect to the received message; determining whether the message is associated with a policy violation, based on the evaluation of the combined policy; rejecting the message when the determination is that the message is associated with the policy violation; and transmitting the message when the determination is that the message is not associated with the policy violation.
A software program facilitates secure communication between a user and a data center over a network. It works by maintaining a directory of policies for both. User policies, tied to a user's role, define authorization. Data center policies control information access. When a user sends a message to the data center requesting information, the software merges the user's policy and the data center's policy into a combined policy. This combined policy is evaluated against the message. If the message violates the combined policy, it's rejected. Otherwise, the message is transmitted to the data center. The software is stored on a non-transitory computer readable medium.
2. The computer program product of claim 1, wherein the computer program product is operable such that a token is taken from a header of the message.
Building upon the secure communication software described previously, this version also extracts a security token from the header of the user's message. This token can be used as part of the policy evaluation process or for additional authentication and authorization checks before the message is processed. This adds an extra layer of security to the communication.
3. The computer program product of claim 1, wherein the policy data of the first entity differs from the policy data of the second entity.
Building upon the secure communication software described previously, the policy data governing user access is different from the policy data that controls data center information access. This allows for granular control where user permissions and data security rules can be managed and configured independently, reflecting real-world scenarios where access privileges and data protection requirements are distinct.
4. The computer program product of claim 1, wherein the message comprises a policy assertion.
Building upon the secure communication software described previously, the message sent from the user to the data center includes a policy assertion. This assertion explicitly states the user's claimed attributes or permissions, allowing the combined policy evaluation to directly consider the user's own declaration within the context of the overall access control.
5. The computer program product of claim 4, wherein the policy assertion relates to identity.
Building upon the secure communication software where the user's message contains a policy assertion, the assertion specifically relates to the user's identity. This means the message explicitly declares who the user is, allowing the combined policy evaluation to verify the user's claimed identity against trusted sources or predefined roles, enhancing authentication and authorization accuracy.
6. A system for facilitating communication, comprising: at least one directory containing policy data for a plurality of entities stored therein, including: storing first policy data of a first one of the entities, the first one of the entities including a group defined by a role associated with a user and the first policy data used for authorization of the user, and storing second policy data of a second one of the entities, the second one of the entities including a data center and the second policy data used for control of access to information of the data center; a computer processor for: receiving a message from the user for being transmitted in a network to the data center, the message for accessing by the user the information of the data center; in response to the receipt of the message, identifying the first policy data of the group and the second policy data of the data center; in response to the receipt of the message, merging the first policy data of the group and the second policy data of the data center to produce a combined policy; evaluating the combined policy with respect to the received message; determining whether the message is associated with a policy violation, based on the evaluation of the combined policy; rejecting the message when the determination is that the message is associated with the policy violation; and transmitting the message when the determination is that the message is not associated with the policy violation.
A system facilitates secure communication between a user and a data center over a network. It includes a directory that stores policies for users and data centers. User policies, linked to user roles, define authorization. Data center policies control information access. A processor receives a user message requesting data center information, identifies relevant policies, merges them into a combined policy, and evaluates the message against this policy. Violating messages are rejected. Valid messages are transmitted.
7. A method for facilitating communication, comprising: providing at least one directory containing policy data for a plurality of entities stored therein, including: storing first policy data of a first one of the entities, the first one of the entities including a group defined by a role associated with a user and the first policy data used for authorization of the user, and storing second policy data of a second one of the entities, the second one of the entities including a data center and the second policy data used for control of access to information of the data center; receiving a message from the user for being transmitted in a network to the data center, the message for accessing by the user the information of the data center; in response to the receipt of the message, identifying the first policy data of the group and the second policy data of the data center; in response to the receipt of the message, merging the first policy data of the group and the second policy data of the data center to produce a combined policy; evaluating the combined policy with respect to the received message, utilizing a computer processor; determining whether the message is associated with a policy violation, based on the evaluation of the combined policy; rejecting the message when the determination is that the message is associated with the policy violation; and transmitting the message when the determination is that the message is not associated with the policy violation; wherein the above steps are performed by a computer processor.
A method facilitates secure communication between a user and a data center. It involves storing user and data center policies in a directory. User policies are linked to roles and used for authorization. Data center policies control information access. A processor receives a message from a user to a data center, identifies the user's and data center's policies, merges them, and evaluates the message against the combined policy. Messages violating the policy are rejected; otherwise, they are transmitted.
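The flow claimed in claims 1, 6 and 7 (directory lookup, merge of the role-based group policy with the data center policy, evaluation of the message against the combined policy, reject or transmit), together with the header token of claim 2 and the identity assertion of claim 5, as an added illustration. This is example code written for this page, not code from the patent or its assignee. The data model, the entity names (`role:analyst`, `dc-east`), the token and assertion formats, and the merge rule (permissions intersected, obligations OR-ed, so the combined policy is never more permissive than either input) are all assumptions made for the example; the patent text does not specify how the two policies are combined.

```python
"""Policy-merging gateway: an added, self-contained illustration of the claimed flow.
Not the patent's own code; data model, merge rule and token format are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class Policy:
    allowed_actions: frozenset                 # operations the policy permits
    allowed_resources: frozenset               # information the policy permits access to
    require_token: bool = False                # message must carry a valid header token
    require_identity_assertion: bool = False   # message must assert who the sender is


@dataclass
class Message:
    sender: str
    target: str
    action: str
    resource: str
    headers: Dict[str, str] = field(default_factory=dict)      # claim 2: token lives here
    assertions: Dict[str, str] = field(default_factory=dict)   # claim 4/5: policy assertions


# Constructed directory (assumption): policy data keyed by entity. "role:analyst" is the
# group defined by a user's role; "dc-east" is the data center whose information is accessed.
DIRECTORY = {
    "role:analyst": Policy(
        allowed_actions=frozenset({"read", "list"}),
        allowed_resources=frozenset({"reports", "metrics", "audit-log"}),
        require_identity_assertion=True,
    ),
    "dc-east": Policy(
        allowed_actions=frozenset({"read", "write"}),
        allowed_resources=frozenset({"reports", "metrics", "config"}),
        require_token=True,
    ),
}

# Constructed user data (assumption): the role each user holds, and the subject each token
# was issued to. A real deployment would validate tokens cryptographically instead.
USER_ROLES = {"alice": "role:analyst", "bob": "role:analyst"}
VALID_TOKENS = {"tok-alice-1": "alice"}


def merge(first: Policy, second: Policy) -> Policy:
    """Combine two policies so the result is never more permissive than either input:
    permitted actions/resources are intersected, obligations are OR-ed (deny-overrides)."""
    return Policy(
        allowed_actions=first.allowed_actions & second.allowed_actions,
        allowed_resources=first.allowed_resources & second.allowed_resources,
        require_token=first.require_token or second.require_token,
        require_identity_assertion=(first.require_identity_assertion
                                    or second.require_identity_assertion),
    )


def evaluate(msg: Message) -> Tuple[str, str]:
    """Identify both policies, merge them, evaluate the message against the combined policy.
    Returns ("transmit", "") or ("reject", reason)."""
    role = USER_ROLES.get(msg.sender)
    if role is None or role not in DIRECTORY:
        return "reject", "no policy data for sender's role"
    if msg.target not in DIRECTORY:
        return "reject", "no policy data for target data center"
    combined = merge(DIRECTORY[role], DIRECTORY[msg.target])

    if combined.require_token:
        token = msg.headers.get("Authorization")          # token taken from a message header
        if VALID_TOKENS.get(token) != msg.sender:         # must be bound to the sender
            return "reject", "missing or mismatched token"
    if combined.require_identity_assertion:
        if msg.assertions.get("identity") != msg.sender:  # identity assertion must match
            return "reject", "identity assertion absent or does not match sender"
    if msg.action not in combined.allowed_actions:
        return "reject", f"action {msg.action!r} not permitted by combined policy"
    if msg.resource not in combined.allowed_resources:
        return "reject", f"resource {msg.resource!r} not permitted by combined policy"
    return "transmit", ""


if __name__ == "__main__":
    # Constructed sample messages: the first is transmitted, the rest are rejected.
    samples = [
        Message("alice", "dc-east", "read", "reports", {"Authorization": "tok-alice-1"}, {"identity": "alice"}),
        Message("alice", "dc-east", "read", "config", {"Authorization": "tok-alice-1"}, {"identity": "alice"}),
        Message("alice", "dc-east", "write", "reports", {"Authorization": "tok-alice-1"}, {"identity": "alice"}),
        Message("alice", "dc-east", "read", "reports", {}, {"identity": "alice"}),
        Message("bob", "dc-east", "read", "reports", {"Authorization": "tok-alice-1"}, {"identity": "bob"}),
    ]
    for m in samples:
        print(m.sender, m.action, m.resource, "->", evaluate(m))
```

The point a practitioner should take from the merge rule is that the combined policy is strictly no wider than either side's own: the data center allows `write` and `config`, but the analyst group does not, so an analyst's message asking for either is rejected before it ever reaches the data center; conversely the group permits `audit-log`, but the data center does not expose it, so that request is also rejected. Any obligation either side imposes (a header token, an identity assertion) applies to every message that crosses between them.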
May 31, 2012
August 20, 2013